It is possible to use a non administrator user to access iControl REST. It does require a bit of setting up to get it working.
K84925527: Overview of iControl permissions
First you must create your user,
Here I create the guest user as 'notadmin' with password 'notadminpw'
(tmos) create auth user notadmin partition-access add { all-partitions { role guest } } shell tmsh password notadminpw
Next you must find the selflink value for the user you have created (assuming your admin ID is 'admin' and password is 'secret'.)
curl -s -k -u admin:secret https://localhost/mgmt/shared/authz/users | jq .
you will see the output which will appear similar to this below..
{
"items": [
.....
{
"name": "notadmin",
"displayName": "notadmin",
"encryptedPassword": "$6$Randomized_Characters_Of_Password",
"generation": 1,
"lastUpdateMicros": 1519056227960605,
"kind": "shared:authz:users:usersworkerstate",
"selfLink": "https://localhost/mgmt/shared/authz/users/notadmin"
},
.......
],
"generation": 11,
"kind": "shared:authz:users:userscollectionstate",
"lastUpdateMicros": 1519056227962971,
"selfLink": "https://localhost/mgmt/shared/authz/users"
}
Locate the value for 'selfLink' for the user notadmin, here is is shown as
The next command will alter that userID so that it can be used for iControl REST, ensure that you set the 'link' value to be the same as the 'selfLink' value extracted in the step above.
curl -s -k -u admin:secret --request PATCH --data '{"userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/notadmin"}]}' https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User | jq .
This will produce a lot of output.
After this command you can then issue iControl REST command using your non-admin user id 'notadmin'
curl -s -k -u notadmin:notadminpw https://localhost/mgmt/tm/ltm/virtual | jq .
I hope this is helpful - obviously you want to create a user with Resource Administrator role.